On 9 June 2015 at 13:17, Erik de Hair <[email protected]> wrote:

> Hi,
>
> Does it matter in what order vetoing permissions are defined?

Are you talking about the isisaddons module security? If so, it's discussed in [1]

> So first vetoing permissions and then positive permissions, or the other
> way around?

Positive perms, then veto, but this is configurable; see [2] and the PermissionsEvaluationServiceAllowBeatsVeto and PermissionsEvaluationServiceVetoBeatsAllow services

> And does my realm.permissionsQuery in shiro.ini have any influence on this
> mechanism?

No; the permissions (which are also scoped and hierarchical) are resolved by the module internally. Ultimately the authorization info is held in the PrincipalForApplicationUser; see [3]

HTH
Dan

> Thanks,
> Erik

[1] https://github.com/isisaddons/isis-module-security#permissions-can-allow-or-veto-access
[2] https://github.com/isisaddons/isis-module-security#isis-domain-services-isisproperties
[3] https://github.com/isisaddons/isis-module-security/blob/master/dom/src/main/java/org/isisaddons/module/security/shiro/PrincipalForApplicationUser.java#L111
